
Intel sets team on thwarting car hackers

Security experts seek to plug holes before it's too late

With computers playing an ever-increasing role in driving cars, there's a real concern over hackers taking over control systems – so much so that Intel has put a dedicated team on the case.

In a US garage the security staff search for electronic bugs that could make cars vulnerable to lethal computer viruses.

Intel's McAfee unit is one of a handful of firms that are looking to protect the dozens of tiny computers and electronic communications systems that are built into every modern car.

Security experts say that car manufacturers have so far failed to adequately protect these systems, leaving them vulnerable to hacks by attackers looking to steal cars, eavesdrop on conversations, or even harm passengers by causing vehicles to crash.


"You can definitely kill people," said John Bumgarner, chief technology officer of the US Cyber Consequences Unit, a research organisation, underlining the potential for targeted computer attacks on networks and products.

To date there have been no reports of violent attacks on vehicles using a computer virus, according to SAE International, an association of more than 128,000 technical professionals working in the aerospace and the auto industries.

Yet, Ford spokesman Alan Hall said his company had tasked its security engineers with making its Sync in-vehicle communications and entertainment system as resistant as possible to attack. "Ford is taking the threat very seriously and investing in security solutions that are built into the product from the outset," he said.

And a group of US computer scientists shook the industry in 2010 with a landmark study that showed viruses could damage cars when they were moving at high speeds. Their tests were done at a decommissioned airport.

The computer scientists issued a second report last year that identified ways in which computer worms and trojans could be delivered to cars via on-board diagnostics systems, wireless connections and even tainted CDs played on radio systems.

Widespread impact

They did not say which company manufactured the cars they examined, but did say they believed the issues affected the entire industry, noting that many manufacturers use common suppliers and development processes.

Toyota said it was not aware of any hacking incidents on its cars and said it had built-in protections. "They're basically designed to change coding constantly. I won't say it's impossible to hack, but it's pretty close," said Toyota spokesman John Hanson.

But Bruce Snell, a McAfee executive who oversees his company's research on car security, said the car industry was concerned about the potential for cyber attacks because of the frightening repercussions. "If your laptop crashes you'll have a bad day, but if your car crashes that could be life threatening," he said. "I don't think people need to panic now. But the future is really scary."

A McAfee spokeswoman said that among those hackers working on pulling apart cars was Barnaby Jack, a well-known researcher who has previously figured out ways that criminals could force ATMs to spit out cash and cause medical pumps to release lethal doses of insulin.

Computers on wheels

White hats are increasingly looking beyond PCs and data centres for security vulnerabilities that have plagued the computer industry for decades and focusing on products like cars, medical devices and electricity meters that run on tiny computers embedded in those products.

Interesting that a BMW has been used for the illustration. A quick search on YouTube shows how easy it is to steal one with a laptop and an OBD-II lead. The problem, interestingly, is apparently competition law. Car manufacturers aren't allowed to encrypt the stuff available at the OBD port, for fear of inconveniencing back street garages. What a lot of savvy BMW owners have started doing is adding a secret switch, so that the port is normally inactive.

There's always a trade-off between the wonderful performance and convenience of programmable electronic systems, and their vulnerability to attack: systemic or catastrophic. My neighbour won't buy a car with an ECU, preferring old-fashioned non-turbo diesels. His reasoning is that he can physically 'fix' any problems (he's a mechanical engineer), and there isn't a black box to 'blow up' and cost a fortune to replace. The obvious downside is emissions like a Chinese power station, fuel-economy to match and 'stately' performance. When not only the ECU, but the entire car is managed / controlled by programmable electronics you start to add all the security concerns raised in this piece. The Toyota FBW throttle problems of a few years ago are indicative of how serious (particularly financially) such issues can be......

"The problem, interestingly, is apparently competition law. Car manufacturers aren't allowed to encrypt the stuff available at the OBD port, for fear of inconveniencing back street garages." Alternatively one might argue that it's not encrypted in order to prevent Main Dealers from having a monopoly and ripping off their customers even more..... It seems BMW's security implementation is at fault, rather than the standardised vehicle diagnosis system.

Alas not. If you have a browse round the Pistonheads website, there's a very interesting thread where a chap had his Beemer 1M nicked from his drive in full view of his CCTV cameras. A small hole was knocked in the driver's side window - just big enough to get to the OBD port without setting off the car alarm. 4 minutes of tinkering later, the miscreants had hacked themselves a nice new motor. Lots of people on that thread, including me, have since added a secret switch....

Well good luck picking mine out of the millions of beemers on the road today. And if you do find it, and figure out a route around my triple-dastardly secret switch (I work in the security industry, so know a trick or two), then you can have the car with my blessing :)

Why does the computer that runs the entertainment system (CD, MP3 player) and connects to the outside world (GPS, GPS traffic updates over 3G, Bluetooth etc.) need to be connected to the computer(s) that control the engine, brakes etc.? Is there any reason they can't be completely separate, i.e. not physically or wirelessly connected to each other in any way? Also agree with Throbinevans - I don't want McAfee software anywhere near any car I drive or am a passenger in ;)